[TOOL] Taranis, Switch Specific Sniffer

From: support@securiteam.com
Date: 08/22/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [TOOL] Taranis, Switch Specific Sniffer
Message-Id: <20010822111945.D7CED138BF@mail.der-keiler.de>
Date: Wed, 22 Aug 2001 13:19:45 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Taranis, Switch Specific Sniffer
------------------------------------------------------------------------

DETAILS

Taranis is a tool that demonstrates the necessity of strong cryptography
and authentication on local Ethernet networks. Taranis will steal username
/ password pairs by redirecting traffic intended for the POP or IMAP
server to the host running Taranis. Once this is achieved, the login
information is saved to a file.

Taranis redirects traffic on switch hardware by sending spoofed Ethernet
traffic. This is not the same as an ARP poisoning attack as it affects
only the switch, and does not rely on ARP packets. In addition, it is
virtually invisible because the packets it sends are not seen on any other
port on the switch. Evading detection by an IDS that may be listening on a
monitoring port is as simple as changing the type of packet that is sent
by the packet spoofing thread.
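
Because the spoofed frames are not seen on a monitoring port, a defender has to look at the switch's own MAC-learning data instead. The following Python is an added example, not part of the original bulletin or of Taranis; the event format, the `PINNED` inventory and the thresholds are hypothetical, and it assumes the redirection shows up as the mail server's MAC address being learned on a port other than its own.

```python
from collections import defaultdict

# Constructed sample of switch MAC-learning events: (seconds, source MAC, port).
# The format is hypothetical; the MACs come from the documentation range.
SAMPLE_EVENTS = [
    (0.0, "00:00:5e:00:53:10", "port1"),    # POP/IMAP server on its real port
    (1.0, "00:00:5e:00:53:20", "port7"),    # workstation
    (2.1, "00:00:5e:00:53:10", "port7"),    # server MAC learned on port7
    (2.4, "00:00:5e:00:53:10", "port1"),    # server transmits, binding moves back
    (3.1, "00:00:5e:00:53:10", "port7"),
    (3.5, "00:00:5e:00:53:10", "port1"),
    (40.0, "00:00:5e:00:53:30", "port3"),   # laptop
    (900.0, "00:00:5e:00:53:30", "port4"),  # laptop re-plugged once
]

# Hypothetical inventory: servers whose switch port should never change.
PINNED = {"00:00:5e:00:53:10": "port1"}


def find_mac_moves(events, pinned=None, window=10.0, min_moves=3):
    """Return {mac: (reason, time, port)} holding the first alert per MAC.

    "pinned-mac-moved": a pinned MAC was learned on a port other than its own.
    "flapping": a MAC changed port min_moves times within `window` seconds.
    """
    pinned = pinned or {}
    last_port = {}
    moves = defaultdict(list)  # mac -> times at which its port changed
    alerts = {}
    for ts, mac, port in sorted(events):
        mac = mac.lower()
        if mac in pinned and port != pinned[mac]:
            alerts.setdefault(mac, ("pinned-mac-moved", ts, port))
        prev = last_port.get(mac)
        if prev is not None and prev != port:
            moves[mac].append(ts)
            recent = [t for t in moves[mac] if ts - t <= window]
            if len(recent) >= min_moves:
                alerts.setdefault(mac, ("flapping", ts, port))
        last_port[mac] = port
    return alerts


if __name__ == "__main__":
    for mac, alert in find_mac_moves(SAMPLE_EVENTS, PINNED).items():
        print(mac, alert)
```

A single move, such as the re-plugged laptop in the sample, stays below the flapping threshold and is not reported.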

ADDITIONAL INFORMATION

The tool can be downloaded from:
http://www.bitland.net/taranis/

The information has been provided by Jonathan Wilkins
<jwilkins@bitland.net>.



